Description of problem:
Summary
SELinux is preventing /usr/bin/mugshot (user_mugshot_t) "connectto" to
<Unknown> (user_dbusd_t).
Detailed Description
SELinux denied access requested by /usr/bin/mugshot. It is not expected that
this access is required by /usr/bin/mugshot and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user2_u:user_r:user_mugshot_t:s0
Target Context user2_u:user_r:user_dbusd_t:s0
Target Objects None [ unix_stream_socket ]
Affected RPM Packages mugshot-1.1.56-1.fc8 [application]
Policy RPM selinux-policy-3.0.8-24.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.23.1-23.fc8 #1 SMP
Wed Oct 17 18:12:05 EDT 2007 i686 i686
Alert Count 15
First Seen Thu Oct 18 14:30:43 2007
Last Seen Fri Oct 19 12:42:30 2007
Local ID 8c6eb477-1516-4653-b770-babec800d894
Line Numbers
Raw Audit Messages
avc: denied { connectto } for comm=mugshot egid=512 euid=511
exe=/usr/bin/mugshot exit=-13 fsgid=512 fsuid=511 gid=512 items=0
path=002F746D702F646275732D6A443559614E50647141 pid=8464
scontext=user2_u:user_r:user_mugshot_t:s0 sgid=512
subj=user2_u:user_r:user_mugshot_t:s0 suid=511 tclass=unix_stream_socket
tcontext=user2_u:user_r:user_dbusd_t:s0 tty=(none) uid=511
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check
boolean settings.
You can see the necessary allow rules by running audit2allow
with this audit message as input.
How reproducible:
Create a policy for a domain that uses dbus. Run the confined domain as user_r.
Steps to Reproduce:
1. Create a policy for a application domain that uses dbus.
2. Run the domain as user_r
Actual results:
Cannot connect to session bus
Expected results:
Not sure. I hoped that these domains would run for a user in the user_r space,
Additional info:
allow user_mugshot_t user_dbusd_t:unix_stream_socket connectto;
will not allow this access.
mono_t is also not able to do this when you run mono_t as user_r.